China suspected in assaults against enterprises running collaboration platform

John Leyden 06 June 2022 at 12:53 UTC

China suspected in assaults against enterprises running collaboration platform

Confluence Server and Data Center users are being urged to update their systems in response to a remote code execution (RCE) vulnerability that’s the target of active attacks in the wild.

The vulnerability (tracked as CVE-2022-26134) opens the door for even unauthenticated attackers to achieve RCE on unpatched systems, with all supported versions of Confluence Server and Data Center affected. End-of-life versions are also likely to be impacted, but this is unconfirmed.

Users are urged to apply patches published by Atlassian, the software developer behind Confluence, on Friday (June 3). Enterprises unable to patch should apply the recommended workarounds, as explained in an advisory by Atlassian.

**CISA warning**

The US Cybersecurity and Infrastructure Security Agency (CISA) is advising US federal agencies to block internet traffic to Confluence Server and Data Center installs and apply Atlassian’s patch or else remove affected instances by the close of business on Monday, June 6.

Attacks against the vulnerability on internet-facing Atlassian Confluence servers have been logged by threat response specialists at both Volexity and Rapid7’s Managed Detection and Response (MDR) team.

Catch up with the latest cyber-attack news and analysis

Volexity reports that attacks began last week on what was at the time a zero-day vulnerability in Atlassian Confluence Server. The RCE vulnerability was used to deploy an in-memory Java-based web server implant, known as ‘Behinder’, in an attempt to evade detection.

“Once Behinder was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell,” Volexity explains in a technical blog post.

The tools and technique behind the attack have allow Volexity threat researcher Paul Rascagnères to identify China as the most likely suspect.

Confluence is a popular web-based collaboration software platform. The Daily Swig asked Volexity to offer an estimate on the number of vulnerable internet-facing Confluence servers as well as speculating on the end goal of the attacks.

No word back, as yet, but we’ll update this story as and when more information comes to hand.

DON’T MISS Researcher goes public with WordPress CSP bypass hack

Incoming! Atlassian Confluence attacks prompt calls for rapid patching

The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research.
Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites.
Parrot TDS was documented in

The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research.

Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites.

Parrot TDS was documented in April 2022 by Czech cybersecurity company Avast, noting that the PHP script had ensnared web servers hosting more than 16,500 websites to act as a gateway for further attack campaigns.

This involves appending a piece of malicious code to all JavaScript files on compromised web servers hosting content management systems (CMS) such as WordPress that are in turn said to be breached by taking advantage of weak login credentials and vulnerable plugins.

Besides using different obfuscation tactics to conceal the code, the "injected JavaScript may also be found well indented so that it looks less suspicious to a casual observer," Sucuri researcher Denis Sinegubko said.

JavaScript variant using the ndsj variable

The goal of the JavaScript code is to kick-start the second phase of the attack, which is to execute a PHP script that's already deployed on the ever and is designed to gather information about a site visitor (e.g., IP address, referrer, browser, etc.) and transmit the details to a remote server.

Typical obfuscated PHP malware found in NDSW campaign

The third layer of the attack arrives in the form of a JavaScript code from the server, which acts as a traffic direction system to decide the exact payload to deliver for a specific user based on the information shared in the previous step.

"Once the TDS has verified the eligibility of a specific site visitor, the NDSX script loads the final payload from a third-party website," Sinegubko said. The most commonly used third-stage malware is a JavaScript downloader named FakeUpdates (aka SocGholish).

In 2021 alone, Sucuri said it removed Parrot TDS from nearly 20 million JavaScript files found on infected sites. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files have been observed containing the malware.

"The NDSW malware campaign is extremely successful because it uses a versatile exploitation toolkit that constantly adds new disclosed and 0-day vulnerabilities," Sinegubko explained.

"Once the bad actor has gained unauthorized access to the environment, they add various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability is closed."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network

By Owais Sultan
Hosting a website is not only about the domain name. It also includes web hosting services, which provide…
This is a post from HackRead.com Read the original post: Types of Web Hosting and How Much Does It Cost To Host A Website?

Hosting a website is not only about the domain name. It also includes web hosting services, which provide the technology and support needed to get your website online. The cost of these services can vary greatly, so it’s important to understand what you’re paying for.

In this article, we are going to take a look at the different types of web hosting services and how much they typically cost. We’ll also provide some tips on how to save money on web hosting services.

**Shared Hosting**

With a revenue share of over 37.64%, Shared hosting is the most popular type of web hosting. This is because it’s the most affordable option. 

With shared hosting, your website shares a server with other websites. This means that the resources of the server are divided among all of the websites on it.

You may need to part with $3-$14 per month for this hosting. The cost depends on an array of factors, including the number of websites you have, the size of your website, and the features you need.

For example, if you have a small website that doesn’t get much traffic, you can get away with a cheaper shared hosting plan. But if you have a large website that gets a lot of traffic, you’ll need to spend more on a plan with more resources.

**VPS Hosting**

VPS hosting is a step up from shared hosting. With VPS hosting, your website is still sharing a server with other websites. But the server is divided into virtual private servers, or “VPS.” Each VPS has its own resources, so your website won’t be impacted by the other websites on the server.

VPS hosting typically costs about $18-$90 per month. The cost depends on the size of the server, the features you need, and the level of support you require.

**Dedicated Hosting**

With dedicated hosting, your website is the only one on the server. This means you have full control over the resources of the server.

The cost of dedicated hosting ranges from about $80-$600 per month. It is the most expensive type of hosting, but it is also the most reliable. If you have a large website with a lot of traffic, dedicated hosting is the best option for you.

Some of the reasons that make dedicated hosting more expensive than other types of hosting include:

*   You are the only one using the server, so you are responsible for the entire cost of the server.
*   Dedicated servers usually have more features, advanced web hosting security, and better performance.
*   The company that owns the server will provide support and maintenance at an additional fee.

**Managed WordPress Hosting**

Managed WordPress hosting is a type of dedicated hosting specifically for WordPress websites. With managed WordPress hosting, your website will be hosted on a server that is optimized for WordPress.

The cost of managed WordPress hosting ranges from about $2-$250 per month. The cost depends on the features and level of support you need.

Some managed WordPress hosts allow you to only pay for the resources you want to use. This is known as the pay-as-you-go pricing model. For example, the cost to host a WordPress site on AWS is not fixed. You can pay as much or as little as you want, depending on how many resources you need. This can be a great way to save money.

**Cloud Hosting**

Cloud hosting is a type of web hosting that uses a network of servers to store your website. The benefit of cloud hosting is that you can scale your website up or down as needed.

The cost of cloud hosting ranges from about $5-$50 per month. Some service providers offer way cheaper rates, but those usually have low-end servers with limited resources.

The main advantage of cloud hosting is that you only pay for the resources you use. For example, if you have a website that gets a lot of traffic, you can scale up your server to meet the demand. Then, when the traffic goes down, you can scale down your server to save money.

**Tips for Saving Money on Hosting**

There are a few things you can do to save money on hosting:

**Shop Around**

Choosing a hosting service should not be a rushed decision. Take time to compare different companies and plans. Look at the features they offer, the level of support, and the resources you get in each plan. This will help you find the best hosting company for your needs.

**Look for Discounts and Coupons**

Some hosting companies offer discounts and coupons to new customers. This can help you save money on your first year of hosting. Check the hosting company’s website or search online for coupons before you purchase a plan.

**Only Pay for Necessary Services**

The worst mistake you can make is to overpay for hosting services. Make sure you only pay for the features and resources that you need. There is no need to pay for extras that you will never use.

**Pay for Longer**

Hosting companies often offer discounts for customers who pay for longer terms in advance. For example, you may be able to get a discount if you pay for 12 months of hosting instead of just one month. This can help you save money in the long run.

**Final Thoughts**

The cost of hosting a website can vary depending on your needs. If you are just starting out, you can find affordable shared hosting plans. As your website grows, you may need to upgrade to a more expensive type of hosting such as dedicated or cloud hosting.

Make sure you choose your hosting depending on your unique needs and budget. Don’t let the pricing alone be the deciding factor. Take time to compare different hosting companies and find the best option for you.

**More Web Hosting Topics**

1.  What Brings The Essence Of Secured Web Hosting
2.  VPS Hosting Vs. Dedicated Servers – Which Is Better?
3.  7 Essential Hosting Features You Can’t Compromise With
4.  DreamHost hosting firm exposed almost a billion sensitive records
5.  Managed vs. Unmanaged VPS hosting – What are the Differences?

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Types of Web Hosting and How Much Does It Cost To Host A Website?

Responsive Online Blog v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at single.php.

Submitted by donbermoy on Thursday, February 4, 2021 - 10:41.

This is a **Responsive Online Blogging Site** using **PHP/MySQL** that I did in my previous years as a project to my client for his Thesis/Capstone Project. I may say that this is a responsive web application because it has a lot of features such as calculating the views coming from the guests, embedded a map, and many more features.

The online site has an admin panel where published blogs, categories, drafts, web details, links, editor's choice, and the admin stats. The admin can also post his desired blog of the day and well as managing it also.

Just like other **Blogging sites**, this project offers users to read blogs of various categories. From the admin panel, he/she can add categories, manage posts and delete categories. The layout is pretty similar to WordPress blogging theme. Here, the site administrator can add a number of posts according to the categories they want and the blogs can also be viewed by selecting a certain category. The design of this project is simple and the user won’t find it difficult to understand, use and navigate.

****Features****

**Admin**

*   **Manage Blog Categories**
*   **Manage Blogs**
*   **Manage Website Details**
*   **Manage Editors Choice Contents**
*   **Admin Statistic Report**

**Website**

*   **Mobile Responsive Design**
*   **Home Page**
*   **Blog List**
*   **Display Website Information**
*   **Author Registration**
*   **View Blog Content**

****How to Run****

Just follow all the instructions to run it smoothly.

**Requirements:**

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** and **Extract** the provided source code **zip** file. (download button is located below)

**Installation**

*   **Open** your **XAMPP/WAMP's Control Panel** and start the **"Apache"** and **"MySQL"**.
*   If you using **XAMPP**, **copy** the extracted folder and **paste** it into the xampp's **"htdocs" directory** (C:\\xampp\\htdocs). And if you are using **WAMP**, **paste** it inside the **"www" directory**.
*   **Locate** the **SQL file** from the source code folder. The file is known as **"blog\_admin\_db.sql"** and located inside the **"databasefile" directory.**
*   **Open** a web browser and browse the **PHPMyAdmin**. (http://localhost/phpmyadmin)
*   **Create** a new **database** naming **"blog\_admin\_db"**.
*   **Import** the **SQL** file in your **newly created database**.
*   Open a web browser and browse the web application. **(http://localhost/resblog)**

**You can access this system using the following accounts**

*   Username: **admin**
*   Password: **admin**

**Installation DEMO**

That's it you can now test the Blog Site project. I hope this will help you with what you are looking for.

**Enjoy Coding :)**

**Engr. Lyndon R. Bermoy**  
IT Instructor/System Developer/Android Developer  
Mobile: 09079373999  
Telephone: 826-9296  
E-mail:\[email protected\]

Visit and like my page on Facebook at Bermz ISware Solutions

Subscribe to my YouTube Channel at SerBermz

Visit my website at CampCodes

*   28655 views

CVE-2022-29659: Responsive Online Blog Website using PHP/MySQL with Source Code

Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress.

 Not fixed

**4.3**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Social Share Buttons by Supsystic

Vulnerable versions

<= 2.2.2

PSID 

55c61e6d8a44

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Credits

 Rasi Afeef (Patchstack Alliance)

Publicly disclosed

2022-05-27

**Details**

Cross-Site Request Forgery (CSRF) vulnerability was discovered by Rasi Afeef (Patchstack Alliance) in the WordPress Social Share Buttons by Supsystic plugin (versions <= 2.2.2).

**Solution**

Deactivate and delete. No reply from the vendor. Plugin closed.

**References**

CVE-2021-36890 Plugin page

CVE-2021-36890: WordPress Social Share Buttons by Supsystic plugin <= 2.2.2 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) vulnerability in Fatcat Apps Easy Pricing Tables plugin <= 3.1.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

*   The **Easy Pricing Tables** WordPress Plugin makes it easy to create and publish beautiful pricing tables and comparison tables on your WordPress site. You can build, customize and publish a pricing table in just a few minutes, straight from the post editor, with zero coding required.

View screenshots of WordPress pricing tables built with this plugin.

View Easy Pricing Tables Premium Live Demo »

> **Gutenberg Compatible**
> 
> This plugin is fully compatible with WordPress 5.0’s new block editor (“Gutenberg”). You can build and edit pricing tables directly in the post editor. Also features support for classic editor and page builders.
> 
> **Easy Pricing Tables Premium**
> 
> Easy Pricing Tables Premium comes with the following features.
> 
> Six Gorgeous Pricing Table Designs.  
> Comparison Tables.  
> Fully Customize your Pricing Table (Colors, etc…).  
> Choose From 15 Font Options.  
> Add Inline Images to Pricing Tables.  
> One-Click WooCommerce Integration.  
> Priority Email Support.  
> Pricing Toggles (switch between multiple pricing tables – eg. currencies or monthly/yearly pricing.  
> And much more….
> 
> Learn more about Easy Pricing Tables Premium >>

**Overview**

Easy Pricing Tables is the first WordPress pricing table plugin built specifically for the block editor.

Building pricing tables on your site has never been easier. Simply add the pricing table block to your post, fill in your prices and features, and publish.

No coding required. Easy Pricing Tables lets anyone create a responsive pricing table in just a few minutes.

**Easy Pricing Tables – WordPress Pricing Table Plugin Features**

*   Build beautiful WordPress pricing tables in minutes.
    
*   Works with any WordPress theme.
    
*   Responsive WordPress Pricing Tables – responds to fit any device.
    
*   Easy Pricing Tables implements conversion rate optimization (CRO) best practices and guides you through the process of creating a pricing table that converts.
    
*   Easy Pricing Tables works with any WordPress theme you have installed. Use the pricing table block to build pricing tables in the post editor, or build in the plugin dashboard and add to your page via shortcode.
    
*   Gutenberg / WordPress 5.0 compatible. Not just compatible. Easy Pricing Tables is built specifically for the block editor.
    
*   Intuitive User Interface – building pricing tables has never been easier. Point and click to edit your table.
    
*   Create unlimited pricing table rows.
    
*   Customize your pricing table design with color pickers, font pickers and native design settings.
    
*   Reorder pricing table columns with one click.
    
*   Featured Column – draw people to your most popular products by highlighting a featured column.
    
*   Save pricing tables as reusable blocks to add in multiple posts or pages.
    
*   Shortcode support for use with classic editor and page builders.
    
*   Add PayPal payment links, Stripe payment links, or any other checkout link to your pricing table buttons.
    
*   Automatically match column heights to keep rows aligned.
    
*   Customize text size and formatting with one click.
    
*   Check out Easy Pricing Tables Premium
    

**WordPress.org Support**

> As this is the lite version of this WordPress pricing table plugin, the only support we offer through these forums is for bugs. Support for questions regarding modifying your pricing tables, writing custom CSS, etc is available for customers of Easy Pricing Tables Premium.

**Privacy Disclosure**

This plugin does not store any personal data.

Our full privacy policy is available here: https://fatcatapps.com/legal/privacy-policy/

This plugin provides 2 blocks.

*   Easy Pricing Table
*   Pricing Tables (Legacy)

1.  Upload the Easy Pricing Tables plugin file (easy-pricing-tables.zip) to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  In your sidebar, select ‘Pricing Tables -> Add New’ to create a new table

**Can I use Easy Pricing Tables with Elementor?**

Yes, Easy Pricing Tables is compatible with Elementor and any other page builder plugin that supports shortcodes.

To add a pricing table anywhere other than the block editor, go to the Easy Pricing Tables plugin dashboard, create your table, and add it to your post with the shortcode provided.

**How can I save pricing tables to publish in multiple parts of my site?**

Create your pricing table and save it as a reusable block. Choose this reusable block anywhere you wish to add your pricing table.

**How do I change the width of my pricing table?**

Your pricing tables will fit to the content area your theme allows. You can edit how wide or narrow it appears with the “change alignment” setting (in the settings toolbar above the block). Change the alignment settings to set how much of the content area your pricing table fits to (e.g. “wide width” or “full width”).

**How can I integrate Easy Pricing Tables with WooCommerce?**

Easy Pricing Tables premium comes with a one-click integration to add WooCommerce products to your pricing table. Check out Easy Pricing Tables Premium here.

Looks great, is fluid, and customisable. Perfect. Love it.

Easy to setup and works beatifully. Love that you can include logo images in table.

Been using this plugin for almost a year now, the legacy version, works perfect for my needs.

Well, the free plugin is complete waste of time.

Great plugin for creating pricing tables.

Read all 128 reviews

“Pricing Tables WordPress Plugin – Easy Pricing Tables” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2021-36866: Pricing Tables WordPress Plugin – Easy Pricing Tables

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

An Internet of Things (IoT) botnet dubbed “EnemyBot" is expanding its front lines to target security vulnerabilities in enterprise services — potentially leading to it being a much more virulent threat than it has been, researchers say.

EnemyBot, which is controlled by a threat actor known as Keksec, is a Linux botnet that emerged on the malware scene in late March. It shares source code with two other well-known botnets, Gafgyt (aka Bashlite) and the mighty Mirai, according to a prior analysis from Fortinet. Like those threats, EnemyBot is used to carry out distributed denial-of-service (DDoS) attacks. Other aspects of the code include smaller elements from Qbot and other malware, and some custom development.

While it began life focusing on adding IoT devices and routers to its botnet footprint, EnemyBot has now evolved to add remote code execution (RCE) exploits for a host of popular business applications, including VMware Workspace ONE, Adobe ColdFusion, WordPress sites (via vulnerable plug-ins like Video Synchro PDF), PHP Scriptcase, and others, according to researchers at AT&T Labs. 

Researchers discovered that the group is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

Keksec is "now targeting IoT devices, web servers, Android devices and content management system (CMS) servers," according to the firm's recent report, which notes that the latest version of EnemyBot adds a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and Web servers and self-propagate. 

The enterprise-focused exploits that were recently added include:

*   Log4Shell vulns: CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices: CVE-2022-1388
*   Spring Cloud Gateway: CVE-2022-22947
*   TOTOLink A3000RU wireless router: CVE-2022-25075
*   Kramer VIAWare: CVE-2021-35064
*   PHP Scriptcase: No CVE yet assigned
*   Adobe ColdFusion 11: No CVE yet assigned

"The nature of devices and systems targeted through EnemyBot is different than vulnerabilities aimed at corporate datacenters," Bud Broomhead, CEO at Viakoo, tells Dark Reading. "WordPress installations, Android devices, IoT devices and other targets for EnemyBot are all widely deployed (therefore might be hard to find), are operated by organizations of all sizes, and are often managed by lines of business that lack cybersecurity skills."

**EnemyBot: A Super Soldier?**

In addition to the DDoS capabilities, EnemyBot can also receive commands to download and execute new code that could add to its functions or update its vulnerability list, according to the analysis. This means that, worryingly, the malware can adopt new vulnerabilities within days of those issues being discovered, researchers warned, as seen when it added a bug tracked as CVE-2022-22954 affecting VMware Workspace ONE, almost immediately after disclosure.

Sean Malone, CISO at Demandbase, says that given its rapid development, EnemyBot and others like it present a new urgency for enterprise defenders.

"The rapid weaponization of newly released vulnerabilities highlights the need to be able to patch almost instantaneously when new vulnerabilities are identified," he tells Dark Reading. "We should assume that every piece of software, every application development framework, and every IoT device will have a critical vulnerability identified at some point. Our architectures should be designed to limit the available attack surface, and mitigate the blast radius of a compromised system through defense-in-depth measures."

That should include adding the ability to profile systems and network traffic to know what normal looks like, and alert when the system activity and network traffic deviates from that baseline, he adds.

"This botnet emphasizes the need for rapid patching of internet facing devices and the risks of running apps in the cloud," says John Bambenek, principal threat hunter at Netenrich. "This traffic is easily spotted on the wire, but in typical cloud deployments, organizations aren’t able to run network intrusion detection. If organizations aren’t running NIDS or rapidly patching, they are both blind and vulnerable."

**Keksec & EnemyBot's Future**

For its part, Keksec is a well-resourced group that has been around since 2016, making a name for itself by creating various botnets-for-hire. It's known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, as well as custom Python malware), in order to accomplish everything from DDoS to cryptomining to espionage.

For instance, last year the operators made headlines with the "Simps" botnet, which was built for DDoS attacks on gaming targets. Another of its creations is the HybridMQ-keksec botnet, a Frankenstein-like effort created by combining and modifying the source code of Mirai and Gafgyt, just like EnemyBot.

Keksec is constantly adding to its arsenal, and "has the ability to update and add new capabilities to its arsenal of malware on a daily basis," the AT&T Labs researchers note. And indeed, with the new ability to compromise enterprise services and devices, EnemyBot could be poised to ramp up the volume of its attacks.

"In addition, the malware base source code can now be found online on GitHub, making it widely accessible," according to AT&T Labs, whose researchers also note that this won't be the only new EnemyBot variant to bubble up from Keksec's laboratory. "The developer of the GitHub page on EnemyBot self-describes as a 'full time malware dev,' that is also available for contract work."

That spells swelling attack volumes, researchers warn.

"Being available through GitHub means that many types of threat actors, from professional cybercriminals to amateurs, will be able to adapt EnemyBot into new and multiple variants," says Broomhead. "Without question, this is a red-lights-flashing warning sign for organizations to improve their discovery, threat assessment, and remediation capabilities."

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

Technique skirts web security controls

A security researcher has discovered a neat, albeit partially developed, technique to bypass CSP (Content Security Policy) controls using WordPress.

The hack, discovered by security researcher Paulos Yibelo, relies on abusing same origin method execution.

This technique uses JSON padding to call a function. That’s the sort of thing that might allow the compromise of a WordPress account but only with the addition of a cross-site scripting (XSS) exploit, which the researcher doesn’t have as yet.

Catch up with the latest WordPress related security news

Yibelo told The Daily Swig that they have not gone as far as attempting the trick on live sites, restricting exploits to a test research site they themselves owned.

“I haven’t really attempted to because it requires a logged in WordPress user or admin to visit my website, so I install the plugin and have a HTML injection – which is illegal to do,” Yibelo explained, adding they hadn’t attempted to exploit the bug in the wild on bug bounty sites either.

The researcher added that they reported it to WordPress three months ago via HackerOne. After failing to get a reply, Yibelo went public with the findings through a technical blog post.

**Endpoint endgame**

Attacks are potentially possible in two scenarios: 1) websites that don’t use WordPress directly but have an endpoint of WordPress on the same-domain or subdomain, and 2) a website hosted on WordPress with a CSP header.

The potential impact is severe, as Yibelo’s blog post explains:

If an attacker finds an HTML injection vulnerability within the main domain (ex: website1.com – not WordPress,) using this vulnerability, they can use a WordPress endpoint to upgrade a useless HTML Injection to a full blown XSS that can be escalated to perform \[remote code execution\] RCE. This means having WordPress anywhere on the site defeats the purpose of having a secure CSP.

The Daily Swig invited WordPress’s core development team to comment on the research. No word back, as yet, but we’ll update this story as and when we hear more.

Yibelo concluded: “I hope Wordpress fixes it so CSP stays relevant on sites that host a WordPress endpoint.”

Content Security Policy is a technology set by websites and used by browsers that can block external resources and prevent XSS attacks.

YOU MAY ALSO LIKE WordPress theme Jupiter patches critical security hole

Researcher goes public with WordPress CSP bypass hack

As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues.
The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the

As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues.

The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the Georgia Institute of Technology.

"Attackers impersonated benign plugin authors and spread malware by distributing pirated plugins," the researchers said in a new paper titled "**Mistrust Plugins You Must**."

"The number of malicious plugins on websites has steadily increased over the years, and malicious activity peaked in March 2020. Shockingly, 94% of the malicious plugins installed over those 8 years are still active today."

The large-scale research entailed analyzing WordPress plugins installed in 410,122 unique web servers dating all the way back to 2012, finding that plugins that cost a total of $834,000 were infected post-deployment by threat actors.

YODA can be integrated directly into a website and a web server hosting provider, or deployed by a plugin marketplace. In addition to detecting hidden and malware-rigged add-ons, the framework can also be used to identify a plugin's provenance and its ownership.

It achieves this by performing an analysis of the server-side code files and the associated metadata (e.g., comments) to detect the plugins, followed by carrying out a syntactic and semantic analysis to flag malicious behavior.

The semantic model accounts for a wide range of red flags, including web shell, function to insert new posts, password-protected execution of injected code, spam, code obfuscation, blackout SEO, malware downloader, malvertising, and cryptocurrency miners.

Some of the noteworthy findings are as follows -

*   3,452 plugins available in legitimate plugin marketplaces facilitated spam injection
*   40,533 plugins were infected post-deployment across 18,034 websites
*   Nulled plugins — WordPress plugins or themes that have been tampered to download malicious code on the servers — accounted for 8,525 of the total malicious add-ons, with roughly 75% of the pirated plugins cheating developers out of $228,000 in revenues

"Using YODA, website owners and hosting providers can identify malicious plugins on the web server; plugin developers and marketplaces can vet their plugins before distribution," the researchers pointed out.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

A rapidly evolving IoT malware dubbed “EnemyBot” is targeting content management systems (CMS), web servers and Android devices. Threat actor group “Keksec” is believed behind the distribution of the malware, according to researchers.

“Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,” reported AT&T Alien labs in a recent post. “The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” they added.

 According to AT&T’s analysis of the malware‘s code base, EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices, this threat group was formed back in 2016 and includes several botnet actors.

****EnemyBot Working****

The Alien lab research team study found four main sections of the malware.

The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.

The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.

The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.

The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

AT&T researcher’s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an “adb\_infect” function that is used to attack Android devices.

ADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.

“In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,” said the researcher.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,” the researchers added.

This Linux-based botnet EnemyBot was first discovered by Securonix in March 2022, and later in-depth analysis was done by Fortinet.

****Vulnerabilities Currently Exploited by EnemyBot****

The AT&T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.

The list includes Log4shell vulnerability (CVE-2021-44228, CVE-2021-45046), F5 BIG IP devices (CVE-2022-1388), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.

*   Log4shell vulnerability – CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices – CVE-2022-1388
*   Spring Cloud Gateway – CVE-2022-22947
*   TOTOLink A3000RU wireless router – CVE-2022-25075
*   Kramer VIAWare – CVE-2021-35064

“This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” the researcher explained.

****Recommended Actions** **

The Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices’ exposure to the internet.

Another action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

Tag

#wordpress